(54) System and method for managing try-and-buy usage of application programs



(57) A system and method for managing the distri- 
bution of licensed application programs stored on a 
server over a distributed computer system maintains 
control over the program even after the program has 
been distributed to a client computer from a provider on 
an information server. Protection may include license 
expiration date verification, authorized user ID verifica- 
tion, and protection against decompilation and reverse 
engineering by maintaining the program in an encrypted 
form until verification of the expiration date and user 
identity are complete and the program is ready for de- 
coding, loading into the client computer CPU, and exe- 
cution. A user identifies a program for trial use by any 
conventional means such as by using a network browser
on the World Wide Web. The server recognizes a user
request to access the application program. The server 
may have an agent on the client computer for performing 
certain predetermined administrative tasks. This agent 
may take the form of an application builder program 
module, provided by the trial application provider, which 
is resident on the client computer. The server (including 
the agent) determines whether program access condi- 
tions are satisfied, and if satisfied transmits a version of 
the program to the client. The transmitted file includes 
an encrypted portion. The server and agent also verify
that the user is currently entitled to execute the
application program, including that the trial license has
not expired at the time the user initiates execution, and
generate an executable version of the application program.
Description

The present invention relates to systems and methods for
managing the distribution of licensed application programs
and application program components, including the
distribution of trial versions of applications and
components that automatically expire after the expiration
of predefined trial usage privileges.

BACKGROUND OF THE INVENTION 

For the purposes of this document, the term "appli- 
cation program" is defined to include applets and other 
application program components. A component is an in- 
complete program fragment. Users can integrate appli- 
cation program components into a new application us- 
ing an appropriate tool, such as the Application Builder 
of the present invention, discussed below. 

A number of different "try and buy" systems for dis- 
tributing application programs and other types of com- 
puter software have been used in prior art systems. The 
most common mechanisms for limiting the rights of the 
users of the trial versions of application programs are 
"time bombs," which disable the program after the expi- 
ration of a certain date, "usage metering" schemes 
which attempt to meter the number of hours of usage of 
the program and disable it after usage reaches a prede- 
fined limit, and various "capability limitation" schemes 
in which the capabilities of the trial version of the appli- 
cation are so limited that end users are motivated to li- 
cense the standard version of the program. 

While software security systems in the past have 
attempted to prevent program copying using a number 
of copy protection schemes, including requiring end us- 
ers to know a password or to possess a physical token 
that enables use of the program, such copy protection 
systems have generally not been used in existing try and 
buy software dissemination systems. The problem is 
particularly acute when the program is distributed over 
a distributed computer system, because the program file 
sent to a user over a wire or other communication chan- 
nel is inherently copyable. 

It is a goal of the "try and buy" system and method 
of embodiments of the present invention to prevent us- 
ers from disseminating executable copies of application 
programs to other end users, because those other end 
users have not necessarily agreed to the licensing terms 
of the program's owner. 

Another goal of the embodiments is to give the own- 
ers of application programs reliable information about 
the parties who have requested trial use of those pro- 
grams. 

Another goal of the embodiments is to make acqui- 
sition of limited use rights (e.g., the right to use a trial 
version of a program) as automatic as possible so as to 
make the use of trial versions of programs as easy as
possible. 

Another goal of the system and method of embodiment of
the present invention is to limit generation of an
intelligible version of a file including an application
program to a user only when the user is currently entitled
to access the file.

A further goal of the embodiment is to provide a system
and method for limiting the period of time and storage
location during which an intelligible version of a file
is available to a user.

Another goal of the system and method of embodiment
of the present invention is to limit generation of an
executable version of an application program to a user 
only when the user is entitled to execute the application 
program at the time execution is attempted by the user. 

SUMMARY OF THE INVENTION

In summary, the present invention provides a system and
method for managing the distribution of licensed files
including application programs over a distributed computer
system that maintains control over the files even after
the file has been distributed from a program provider on a
server to an end user on a client computer. Protection
includes license expiration date verification, authorized
user verification (with or without a termination date grace
period) protection, and protection against decompilation
and reverse engineering by maintaining the application
program file in an encrypted form until verification is
complete and the program is ready for decoding and
execution.

The inventive method and system for managing usage of an
application program initially stored on a server coupled to
a distributed computer system by a user includes
recognizing a user request to access an application
program, determining whether predetermined access
conditions are satisfied, transmitting a version of the
application program to the computer associated with the
user making the request for receipt and storage only when
the access conditions have been satisfied, further
verifying prior to program execution that the user is
currently entitled to execute that received application
program, and generating an executable version of the
application program from the transmitted version only if
the verification is affirmative.

BRIEF DESCRIPTION OF THE DRAWINGS

Examples of the invention will now be described in 
conjunction with the drawings, in which: 

Fig. 1 is a block diagram of an embodiment of a distributed
computer system embodying the present invention.

Fig. 2 is a schematic representation of an exempla- 
ry Web site page used to disseminate trial versions of 
programs that are available for licensing. 

Fig. 3 is a block diagram of an exemplary header record of
the stored version of the Application Program on a server
in a preferred embodiment of the invention.

Fig. 4 is a block diagram of an exemplary header record of
the transmission format of the trial version of an
application program shown in Fig. 3 in a preferred
embodiment of the invention.

EP 0 778 512 A2

Fig. 5 is a block diagram of an alternate form of an
exemplary header record of the transmission format of the
trial version of an application program shown in Fig. 4 in
another preferred embodiment of the invention.

Fig. 6 is a block diagram of an exemplary header 
record of the execution format of the trial version of an 
application shown in Fig. 4 in a preferred embodiment 
of the invention. 

Fig. 7 is a schematic representation of a menu pre- 
sented by the Application Builder for executing trial ver- 
sions of Application Programs. 

Fig. 8 is a flow chart of an embodiment of the trial
application program execution method of the present in- 
vention. 

Fig. 9 is a flow chart of an alternative embodiment 
of the trial application program execution method of the 
present invention. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 

Referring to Fig. 1, there is shown a distributed computer
system 100 having many client computers 102 and at least
one information server computer 104. In the preferred
embodiment, each client computer 102 is connected to the
information server 104 via network interconnectivity
means such as the Internet 106, although
other types of communication connections could be 
used. While most client computers are desktop comput- 
ers, such as Sun workstations, IBM compatible comput- 
ers and Macintosh computers, virtually any type of com- 
puter can be a client computer. One or more users (not 
shown) are associated with each client computer 102. 

In the preferred embodiment, each client computer includes
a CPU 107, a user interface 108, primary memory 118 (such
as fast random access memory), user communication
interface 119 for communicating with the information
server computer 104 via communication network 106, and
additional memory 109 for storing an operating system 110,
a World Wide Web browser program 111, an Application
Builder program 112, and one or more Application Programs
117. The Application Builder program 112 and Application
Programs 117 contain features provided specifically by the
present invention. Optionally included among these
features is a client Licensee ID 103 imbedded in the
Application Builder 112 and used for access verification
as described in detail below. The Application Builder 112
also preferably includes a pair of public and private keys
113 that are unique to the client computer, a program
decoder module 114, a license handling module 115, and a
program execution module 116.

The information server 104 includes a central processing
unit (CPU) 120, primary memory 122 (i.e., fast random
access memory) and secondary memory 124 (typically disk
storage), a user interface 126, and a communications
interface 128 for communication with the client computers
102 via the communications network 106.

For the purposes of the present discussion, it will be
assumed that the information server's secondary memory 124
stores: an operating system 130, a World Wide Web server
application and a corresponding set of Web pages 132, a
trial licensing application program 134 for handling the
licensing of Application Programs to end users associated
with client computers 102, a copy of the aforementioned
Application Builder 136 for transmission and licensing to
end users, a pair of public and private encryption keys
137 for the server, and copies of the trial versions of
various Application Programs 138, 140, 142 for
transmission and licensing to end users.

It is also assumed for the purposes of the present
discussion that the information server 104 is a World Wide
Web Server, but other information servers may also
tentatively be employed. The Web Server application 132
controls the server's responses to requests by client
computers 102 to retrieve files using standard World Wide
Web (WWW) protocols. The Web Server Application works with
a set of Web source files, which are the documents and
other files or objects that client computers 102 receive
in response to properly formed requests. The present
embodiment does not modify the Web Server application 132.
Thus, operation of the Web Server site insofar as client
computers 102 are concerned remains unchanged by the
present embodiment.

Referring to Fig. 2 there is shown a schematic
representation of an exemplary home page 160 of the Web
site (information server) 104, accessible by a user using
client computer 102. The home page 160 includes a general
information section 163 having menu selection buttons for
obtaining information about the Try & Buy Program 165,
Licensing Terms and Conditions 166, information about the
Application Builder 167, and information about one or more
Application Programs 168. For example, each Application
Program may be described in terms of its functionality,
storage requirements, minimum processor requirements for
execution, monetary costs for permanent versions of the
application program, and the like. Licensing terms and
conditions may be Application Program specific, and
further may contain provisions for specific Licensees or
classes of Licensees.

The home page 160 of the Web site (information server) 104
also includes a Trial Version Program Download Selection
Section 164 having a submenu 169 that includes selection
buttons for each of several Application Programs as well
as a button 170 for selecting the Application Builder. To
download a Trial Version of any of the listed programs,
the user merely selects one or more programs of interest
from the menu in section 164. Alternately, the Web page
may contain specialized HTML annotation, such as Java
language applets that make contact with the user's
Application Builder and cause it to display remotely
available applications as if they were on a similar
organizational footing with locally available
applications.

The Application Program file is stored in one or more of
several different formats depending on where in the
distributed computer system 100 the file exists or is
stored. There are four storage formats of particular
interest:

• the Server Format, which is the format of the Appli- 
cation Program in Secondary Memory 124 of Infor- 
mation Server 104 prior to selection by a particular 
user; 

• the Transmission Format, which is the format of the 
Application Program in storage in Secondary Mem- 
ory 124 of Information Server 104 after selection by 
user for downloading to client computer 102, and 
during transmission to the user;

• the Client Storage Format, which is the format of 
the Application Program in storage in memory 109 
of the client computer 102 after the downloading is 
complete but prior to verification and execution (de- 
scribed hereinafter); and 

• the Execution Format, which is the format of the Ap- 
plication Program in temporary storage in RAM 118 
and/or CPU 107 during execution of the Application 
Program. 

The differences in the formats relate generally to ex- 
istence and content of ancillary file information associ- 
ated with the Application Program and the user (where 
applicable) such as information contained in header 
records, and with the encrypted or decoded condition of 
the executable program and other fields. Each of these 
formats is described in greater detail below with respect 
to Figs. 3-6. 

For the purposes of this document, the terms "de- 
code" and "decrypt" shall be used synonymously to refer 
to the process of reversing the encryption of a set of 
information. Similarly, the adjectives "decoded" and "de- 
crypted" shall be used synonymously to refer to a set of 
unencrypted information that was generated from a cor- 
responding set of encrypted information. 

In reference to Fig. 3, a schematic illustration of the
Server Format 180 of an Application Program trial version
138 is shown. The Server Format includes the non-encrypted
application program 181, and may optionally include
information fields for Application ID 183, License
Termination Date 185, and Licensee ID 184. These fields
are optional because prior to selection by a particular
user, the file is generic for all potential users and no
such information (except the Application ID) is applicable
to the application program file. The particularized server
format includes each of the Application ID 183, License
Termination Date 185, and Licensee ID 184 fields and may
either be created and stored as an actual file on the
server or may exist only transiently as the generic server
format is particularized to the requesting user and
encrypted to generate the transmission format prior to
transmission to the client computer. Note that the server
formatted version of the application program could be
stored in an encrypted form, but decryption followed by
encryption would be required to encrypt the application
program with the public key associated with the client
computer Application Builder 112.

The Server Format of an application program in the
preferred embodiment also includes a copy of the server's
public key 187 (to be used by client computers),
documentation 188 for the application program, as well as
text 189 representing the trial licensing terms for the
application program and relicensing terms.

Once the user has selected an Application Program for
trial use the user is associated with a licensed version
of the Application Builder. This Application Builder
license may be preexisting or may have been allocated to
the user in conjunction with selection and downloading of
the trial version of an Application Program. In either
situation, the Application Builder is licensed to the user
and a licensee identifier is associated with that user.
Server 104 includes an Encryption Module 135 that encrypts
the Application Program stored in Server Format 180 based
on a public key 113 associated with the user to generate a
transmission format of the same Application Program.

In reference to Fig. 4, a schematic illustration of the
Transmission Format 186 of an Application Program trial
version 138 is shown. The transmission format includes an
encrypted version of the Application Program executable
code 181, an Application Program ID 183, a proper licensee
ID for the particular user 184, a license termination date
185, as well as copies of the public key, documentation
and license informational fields 187, 188, 189. In the
preferred embodiment all fields of the Transmission Format
186 are encrypted with the user's Application Builder
public key 113 to prevent eavesdropping and unauthorized
copying or modification of the application program and/or
control information.

Furthermore, in the preferred embodiment the control
information (i.e., header fields 183-185) is first
encrypted with the server's private key prior to
encryption of the entire file 186 with the user's
Application Builder public key. In this way double
encryption is used to protect the control information.
More generally, it is desirable that none of the
Application Program itself, and none of the header fields
183, 184, 185, appear as clear text during transmission
from server 104 to client computer 102 over the network
106.

While the term "header" fields or information has been
applied to the identification information fields in this
description, and such information fields are shown for
simplicity as a plurality of contiguous records in the
file (e.g. Figs 3, 4, and 6), it should be understood that
the identification information may be placed in any
predetermined location in the application program file so
long as the Application Builder 112 can locate and
interpret the information during the verification and
decoding procedures prior to execution of the application
program. For example, Fig. 5 is a block diagram showing a
version of the transmission format in which the licensee
ID 184, and License Termination Date 185 are located
within the body of Application Program 1, which is split
into parts A, B, and C. Such intermingling of the
identification and security information within the body of
the Application Program is generally applicable to all of
the formats described. Placement of the identification
information within the application program itself enhances
security by making it extremely difficult for even an
authorized user of the application to locate and alter the
identification information, including the licensee ID and
the license termination date.

The Client Storage Format of an application pro- 
gram trial version, while not shown in a separate figure, 
is the same as the Transmission Format 186, with a de- 
crypted copy of the control information (header fields 
183-185) "pre-pended" at the front of the file. The de- 
crypted control information is not "trusted" by the Appli- 
cation Builder because it is subject to manipulation by 
the user, but is rather compared with the encrypted con- 
trol information at execution time. In an alternate em- 
bodiment, the Client Storage Format is the same as the 
Transmission Format, and the control information is not 
stored in clear text form. 

In reference to Fig. 6, a schematic illustration of the 
Execution Format 196 of an Application Program trial 
version 138 is shown. The Execution Format 196 in- 
cludes a decrypted and decoded version of the Applica- 
tion Program. It need not necessarily include application 
identifier 183, licensee identifier 184, or licensee termi- 
nation date 185. Although such information may be car- 
ried along in the file, it does not represent executable 
code and serves no further security purpose after veri- 
fication and decoding. 

In the preferred embodiment the executable code 
is only available transiently during execution of the Ap- 
plication Program in RAM 118 or CPU 107 of the client 
computer. It is not stored in decrypted or decoded form 
on any mass storage device in a human readable form. 
The Execution Format of the Application Program is es- 
sentially a decrypted version of the transmission version 
that is generated by the Application Builder 112 on the 
client computer 102 after the Application Builder has 
verified the validity of the license for the particular user 
and has decoded the Application Program so that it is 
in the proper format for execution by the client computer 
102. 

Referring to Fig. 7, after one or more trial Application
Programs have been downloaded to and stored on client
computer 102, a user associated with that client computer
may decide to execute one of the Application Programs. In
one embodiment of the invention, the user will be
presented with a menu 192 on a display screen of user
interface 108, including a list 193 of available
application programs. The user may then select an
Application Program, for example Application^. The client
computer will respond to this selection by displaying the
Expiration Date of the Selected Application 194, and may
present other information pertaining to execution of the
selected application. It may for example provide a
description of input/output data types, file formats,
related programs, and the like to assist the user in using
the program. This information is found in the
documentation field 188 of the stored application program.
Additional menus for viewing other information, such as
license terms and relicensing information (from field 189)
may also be provided. These displays may be integrated by
the Application Builder with similar displays for locally
stored, fully licensed programs.

Referring to Fig. 8, an embodiment of the method 300 of
the present invention for managing use of an Application
Program by a user on a distributed computer system 100 is
shown. The Application Program is initially stored as a
Server Format version 180 of the Application Program on
server 104. Execution starts at Step 302 in response to a
user's request for a trial version of an Application
Program. At step 304 the server 104 monitors requests for
information and program access from the client computer
connected to the server computer. Application Builder 112
may act as an agent for the server by initiating
communication with the server in response to a request by
client computer 102. At step 306 server 104 recognizes a
request from a user associated with one of the client
computers 102 to access the trial version of an
Application Program.

Upon selecting an application program (or the Application
Builder) for downloading, the user will optionally be
presented with a reminder that the requested program is
made available to the user for trial use only under
conditions of the license agreement. The terms of the
license agreement are then displayed for the user's review
on the display screen, and the user is prompted by the
server (possibly through the Application Builder 112
acting as an agent for the server) to accept the license
terms. In one embodiment of the invention, the acceptance
of the license is preferably made explicitly by an
affirmative action by the user before the selected
application program will be downloaded. For example, the
user may be requested to input an identifying name, or to
retype a verification code such as the user's licensee ID
for example, presented by the server for transmission to
the server. Alternatively, the acceptance may be more
passive, such that unless the user declines to accept the
license terms, the license is accepted and file
downloading commences.

At step 308, the server compares predetermined program
access restrictions for the Application Program with
client computer access privileges and determines whether
predetermined access conditions are satisfied by the
requesting client computer. At step 310, the server
determines whether the client privileges satisfy
Application Program access requirements. The access
requirements in the preferred embodiment are (A) ownership
of a valid license for the Application Builder by the user
or associated client computer, (B) receipt of the user's
Application Builder public encryption key from the user's
Application Builder, and (C) explicit user acceptance of
the licensing terms for the trial version of the selected
Application Program. The information from the user will
typically identify the user and the type of computer
platform being used. This information about the user can
be automatically provided to the owners of the requested
application program, thereby providing the owners with
reliable information about the parties who have requested
trial use of those programs.

At Step 312, if the access conditions are not satisfied
then access to the trial version of the user selected
Application Program is denied (at least temporarily until
access restrictions are satisfied). However, if the access
conditions are satisfied (Step 314) then server 104
generates a Transmission Version of the user selected 
Application Program from the Server Format version on 
the server, and then transmits the Transmission Format 
version of the requested Application Program to the cli- 
ent computer. The Transmission Format version of the 
Application Program is preferably generated for a par- 
ticular user and contains user identification information 
including a licensee identification code or number 184 
as described earlier with respect to Fig. 3. Furthermore, 
all or a significant portion of the Application Program 
code is encrypted in the Transmission Format version 
of the Application Program. In the preferred embodi- 
ment, the Application Program is encrypted using RSA 
encryption programs with the user's public key being 
used as the encryption key. As understood by those 
skilled in the art, the encrypted Application Program can 
be decoded by corresponding RSA decoding programs 
with the user's private key. 

The transmission formatted version is received by 
the client computer and is preferably stored in memory 
109 in the client storage format for later execution and 
use. 

The Application Program now resides on the client 
computer. While the user may choose to immediately 
execute the program, the user could also desire to use 
the program for the first time or additional times at a fu- 
ture date. It is therefore important to provide a mecha- 
nism for verifying that the client computer is still entitled 
to use the Application Program at the current or ambient 
date. 

In Step 316 the Application Builder 112 acting as an agent
for the server 104 (independent of connection between the
server 104 and the client computer 102 at that time)
verifies prior to execution of the program that the client
computer is currently entitled to execute the Application
Program. To perform this "control information"
verification, the stored, doubly encrypted control
information is decrypted using the Application Builder's
private key 113 and the server's public key 187 (and is
optionally compared with the clear text version of the
control information). Using the decrypted control
information, the Application Builder compares the licensee
ID 184 in the Application Program with the licensee ID or
IDs associated with the Application Builder, and compares
the license termination date 185 in the Application
Program with the current date. Only when the status of the
user is verified does the Application Builder 112 decrypt
the encrypted Application Program so as to prepare it for
execution. The decrypted Application Program is preferably
never stored in non-volatile memory of the client
computer, and only exists in decrypted form during actual
program execution.

It is recognized that the protection afforded by com- 
paring a license expiration date encoded in the Applica- 
tion Program with the ambient computer date may in 
some instances be circumvented by altering the client 
computer ambient date; however, such alteration typi- 
cally introduces sufficient other problems into system 
operation and file management in the user's computer 
that users are not inclined to use such measures. Se- 
curity measures may further include other date checking 
procedures, such as checking file creation dates for oth- 
er files on the client's computer to determine if the actual 
date exceeds the ambient date set for the client compu- 
ter, and the like. 
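
The Step 316 check, the Client Storage Format comparison and the file-date check described above, as an added Python example (not code from the patent). Textbook RSA over two fixed Mersenne primes stands in for the server key pair 137/187, the outer layer under the Application Builder's key 113 is omitted, and the field encoding, the function names and rejecting on a clear-text mismatch are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional, Set, Tuple

# Constructed demo key: textbook RSA over two Mersenne primes, no padding.
# It only models "transform with the private key, recover with public key 187".
P, Q = 2**521 - 1, 2**607 - 1
SERVER_N = P * Q
SERVER_E = 65537                                   # public half, shipped as key 187
SERVER_D = pow(SERVER_E, -1, (P - 1) * (Q - 1))    # private half, server only


@dataclass(frozen=True)
class ControlInfo:
    app_id: int          # Application ID 183
    licensee_id: str     # Licensee ID 184
    termination: date    # License Termination Date 185

    def encode(self) -> bytes:
        # Assumed encoding; the patent does not define a byte layout.
        text = f"{self.app_id}|{self.licensee_id}|{self.termination.isoformat()}"
        return text.encode("ascii")

    @staticmethod
    def decode(raw: bytes) -> "ControlInfo":
        app_id, licensee_id, termination = raw.decode("ascii").split("|")
        return ControlInfo(int(app_id), licensee_id, date.fromisoformat(termination))


def server_wrap(info: ControlInfo) -> int:
    """Server side: protect the header with the server's private key."""
    m = int.from_bytes(info.encode(), "big")
    if m >= SERVER_N:
        raise ValueError("control information too long for the demo modulus")
    return pow(m, SERVER_D, SERVER_N)


def agent_unwrap(wrapped: int) -> ControlInfo:
    """Application Builder side: recover the header with the server's public key."""
    m = pow(wrapped, SERVER_E, SERVER_N)
    return ControlInfo.decode(m.to_bytes((m.bit_length() + 7) // 8, "big"))


def verify(wrapped: int, clear_copy: bytes, builder_licensees: Set[str],
           today: date, newest_file_date: Optional[date] = None) -> Tuple[bool, str]:
    """Decide whether the program may be decrypted for execution."""
    try:
        info = agent_unwrap(wrapped)        # the only copy that is trusted
    except ValueError:                      # includes UnicodeDecodeError
        return False, "protected control information does not decode"
    if clear_copy != info.encode():         # pre-pended copy is user-editable
        return False, "clear-text header differs from protected header"
    if info.licensee_id not in builder_licensees:
        return False, "licensee ID not associated with this Application Builder"
    if newest_file_date is not None and newest_file_date > today:
        return False, "ambient date precedes existing file dates"
    if today > info.termination:            # assumed valid through the end date
        return False, "trial license expired"
    return True, "ok"


# Constructed sample data.
ISSUED = ControlInfo(138, "LIC-0001", date(1996, 12, 31))
WRAPPED = server_wrap(ISSUED)
BUILDER_IDS = {"LIC-0001"}
IN_TRIAL, AFTER_TRIAL = date(1996, 12, 1), date(1997, 1, 5)
EDITED_CLEAR = ControlInfo(138, "LIC-0001", date(2099, 1, 1)).encode()

if __name__ == "__main__":
    cases = {
        "valid trial": verify(WRAPPED, ISSUED.encode(), BUILDER_IDS, IN_TRIAL),
        "edited clear header": verify(WRAPPED, EDITED_CLEAR, BUILDER_IDS, IN_TRIAL),
        "copied to other user": verify(WRAPPED, ISSUED.encode(), {"LIC-0002"}, IN_TRIAL),
        "expired": verify(WRAPPED, ISSUED.encode(), BUILDER_IDS, AFTER_TRIAL),
        "clock set back": verify(WRAPPED, ISSUED.encode(), BUILDER_IDS, IN_TRIAL,
                                 newest_file_date=AFTER_TRIAL),
        "altered protected header": verify(WRAPPED + 1, ISSUED.encode(),
                                           BUILDER_IDS, IN_TRIAL),
    }
    for name, (allowed, reason) in cases.items():
        print(f"{name:26} allowed={allowed!s:5} {reason}")
```
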

In reference to Fig. 9, a more detailed description of a
preferred embodiment of the method of the present
invention is now provided. The user installs an
Application Builder 112 on the client computer 102 (Step
402). The Application Builder 112 is a program module
provided by a software vendor (such as Sun Microsystems,
Inc.) or in conjunction with the Application Programs made
available by the provider on the server over the
distributed computer system. The Application Builder acts
as a local agent for the Application Program provider by
performing various security check functions and program
decryption functions. Application Builder 112 builds an
encryption key (Step 404) after installation on client
computer. In the preferred embodiment an RSA
private/public key pair is generated; however, other types
of encryption keys may be implemented.

The user identifies an Application Program that he 
or she is interested in trying out under the try-and-buy 
usage scheme (Step 406), such as for example by using 
a Web browser or the like. An exemplary Web page that 
would be accessed using such a Web browser is illus- 
trated in Fig. 2 and was described above. The user lo- 
cates a program that he wants to try out such as by 
mouse clicking on the Application Program name in the
palette of submenu 169. The user may also request general
information prior to selecting an Application Program,
or Application Builder for downloading pertaining
to the try & buy program by selecting menu item 165, 
on the Application Programs available by selecting one 
of menu items 168, on the applicable licensing terms 
and conditions by selecting menu item 166, or general 
information on the Application Builder by selecting menu 
item 167. 

Identification of an Application Program for trial use
initiates a procedure to request a trial license from the
try-and-buy server 104 of the distributed computer system
(Step 408). In the preferred embodiment, the Application
Builder 112 acts as the user's agent in requesting
the trial license for the selected try-and-buy Application
Program and as the server's agent in providing the trial
application and license. This activates the Trial License
Application Program Module (TLAPM) 134 in the server
(Step 410), which confirms that the client computer has
either a valid licensed copy or valid trial copy of the
Application Builder (Step 412).

If the client computer 102 associated with user does
not have a validly licensed or trial copy of the Application
Builder, the client is prompted to review the licensing
terms and to agree to the terms presented before a trial
copy of the Application Builder is generated and provided
to the user (Step 414). Acceptance of the license
terms by the user may be implicit in making the request
for trial license, or in a preferred embodiment the user
will be prompted to explicitly agree to the license terms
before the Application Program (and/or Application
Builder) is transmitted to the client computer, for example
by making an affirmative response to an acceptance
inquiry after the license terms have been presented, and
before the trial-and-buy program is sent to the user's
computer.

Once the TLAPM 134 in the server has confirmed
that the client computer has a valid licensed copy or valid
trial copy of the Application Builder, it requests and
receives the user's Application Builder Public Key (Step
416).

The TLAPM 134 then generates a Transmission
Format version 186 of the selected try-and-buy Application
Program (Step 418). The Transmission Format version
186 is a version of the Application Program generated
from the Server Format version 180 of the same
Application Program that is suitable for transmission to
the user's computer over nonsecure transmission links
of the Network interconnectivity apparatus 106. The
Transmission Format version 186 (a) is encrypted with
the client computer's Application Builder Public Key, and
(b) optionally includes a header that specifies trial license
expiration conditions, such as a trial license expiration
date. The trial license expiration date may impose
a hard use date limit, or may impose soft use limitations.
Hard and soft use limitations are described in
greater detail hereinafter.

The client computer receives the encrypted Transmission
Format version of the trial Application Program
and stores it locally on the computer associated with the
user (Step 420). The encrypted Transmission Format
version is stored in encrypted form on the client computer
and is decrypted to generate a decoded version only
when the application is being loaded for execution by
the client computer.

The trial Application Program 117 can only be received
from the server and stored on the client computer
in conjunction with execution of the Application Builder
112 on the client computer. Once the Application Program
is stored locally, the client computer can, at a user's
request, initiate execution of the trial Application
Program (Step 426). The Application Builder then verifies
that the particular client computer has a valid license
for that particular program and that the license to the
trial Application Program has not expired.

In one embodiment of the invention, this verification
includes reading the Application Program file by the
Application Builder (Step 428), and then comparing the
Licensee ID 184 in the file with a client ID (or a list of Client
IDs) associated with the Application Builder that is
licensed to the client computer (Step 430). It also includes
comparing the License Termination Date 185
with the current date (i.e., the computer's ambient date)
and verifying that the termination date 185 is later than
the ambient date stored on the client computer (Step
432). The explicit examination of client ID may not always
be necessary since the presence of a validly licensed
Application Builder 112 may be sufficient security
to prevent unauthorized use. The Client ID may be
provided by the Application Builder 112 licensed to the
client computer. Typically, possession of a valid Application
Builder license may establish sufficient trust between
the Application Program provider and the users
associated with the client computer.

When the Application Builder has completed verification
of the license, it decrypts the trial Application Program
(Step 434) using the Application Builder's Private
Key so that the program may be loaded for execution in
the client computer CPU. As explained above, the
stored, doubly encrypted control information is decrypted
using the Application Builder's private key 113 and
the server's public key 187 and then the decrypted control
information is used to verify that user's rights to execute
the trial application program.

It may be seen that in the preferred embodiment,
the trial Application Program 117 must be launched
while running the Application Builder 112, because the
Application Builder is needed for verification of the license
(Client ID matches Licensee ID and Termination
date has not passed) and to decrypt the trial version of
the application into executable code. All control information
is verified by the Application Builder against the encrypted
copy of the control information, and verification
fails if there is a mismatch. Further, the trial version of
the application program may include further validation
steps, such as checking the validity of the Application
Builder's release number in accordance with predefined
confidential validity criteria.

In this manner, the time during which the Application
Program exists in a human readable form is limited in
time (during execution of the Application Program) and
in storage location (in processor memory). Limiting the
time and physical location of unencrypted program code
minimizes the opportunity for unauthorized copying of
unencrypted code. Even if the encrypted program were
to be copied, it cannot be used without a licensed Application
Builder for that client computer, because the
matching Application Builder's private key, which is
unique for each client computer on which it is installed,
is required for decryption.

Restrictions and procedures similar to those described
below for the Application Program may be applied
to requesting and receiving a trial version of the
Application Builder 112 so that trial versions of the applications
may be obtained and executed. In the preferred
embodiment trial versions of the Application
Builder 112 contain a time bomb that prevents operation
of the program after a threshold date has passed.

If the Application Builder in Steps 428-432 determines
that the Trial License to the Application Program
has expired, the action taken by the Application Builder
depends on which of two alternative expiration date procedures
are implemented: a hard expiration date procedure
or a soft expiration date procedure.

When a hard expiration date procedure is implemented,
the Application Builder causes a message to
be presented to the user on the client computer that the
trial version of the Application Program has expired and
that the Application Program previously made available
for use to the user must now be licensed with a new
license. Under certain conditions, the user may be given
an opportunity to obtain another trial license; however,
it is anticipated that if the user is offered more than one
trial license on the same Application Program, the
number of such trial licenses offered may be limited to
minimize possible trial use abuse. For example it is expected
that where more than one trial license is offered
for a single application, the total number of opportunities
will be in the range of one to ten (1-10) and preferably
in the range of one to three (1-3) trials.

If a soft expiration date procedure is implemented,
the user is warned that the trial version of the program
has expired, and that while the user can continue to use
the trial version for a short period of time, by a future
termination date "year/month/day" it will be necessary
for the user to obtain a licensed copy of the Application
Program, or a new trial version, in order for the user to
be able to continue using the Application Program.

The soft expiration date version has the advantage
that the provider is not put in the position of suddenly
preventing use of its Application Program by the user,
so that for example, the user may complete a task with
ample warning. The future termination date given in the
soft expiration date warning may either be a number of
days in the future from the expiration date (e.g. 7 day
grace period) or may be computed as a number of days
forward from the ambient date on which the warning is
given to the user. The latter procedure has the advantage
that the program will not expire without some warning to
the user. Other soft termination date computation
schemes may also be implemented. Particular termination
procedures may be provided to different classes of
users or even to particular users on the basis of the client
ID associated with the Application Builder.
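
The license check of Steps 430-432, the file-date check and the hard and soft expiration procedures described above, written out as an added example that is not code from the patent. The field names, policy labels, Decision type and the sample client ID and dates are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

@dataclass(frozen=True)
class ControlInfo:              # decrypted control information; field names are assumed
    licensee_id: str            # Licensee ID 184
    termination_date: date      # License Termination Date 185
    policy: str = "hard"        # assumed labels: "hard", "soft_fixed", "soft_from_warning"
    grace_days: int = 7         # e.g. the 7 day grace period

@dataclass(frozen=True)
class Decision:                 # hypothetical result type
    allow: bool
    reason: str
    final_date: Optional[date] = None    # soft procedures: future termination date
    first_warned: Optional[date] = None  # must be persisted by the caller

def verify_license(ctrl: ControlInfo, client_ids: Iterable[str], ambient: date,
                   file_dates: Iterable[date] = (),
                   first_warned: Optional[date] = None) -> Decision:
    # Step 430: Licensee ID must match a Client ID of the licensed Application Builder.
    if ctrl.licensee_id not in set(client_ids):
        return Decision(False, "licensee-mismatch")
    # Date check: a local file dated after the ambient date means the actual date
    # exceeds the ambient date, i.e. the clock was probably set back.
    if any(d > ambient for d in file_dates):
        return Decision(False, "clock-rollback-suspected")
    # Step 432: the termination date must be later than the ambient date.
    if ctrl.termination_date > ambient:
        return Decision(True, "valid")
    if ctrl.policy == "hard":
        return Decision(False, "expired")
    if ctrl.policy == "soft_fixed":           # grace counted from the expiration date
        final = ctrl.termination_date + timedelta(days=ctrl.grace_days)
    elif ctrl.policy == "soft_from_warning":  # grace counted from the first warning
        first_warned = first_warned or ambient
        final = first_warned + timedelta(days=ctrl.grace_days)
    else:
        return Decision(False, "unknown-policy")
    # Assumption: the grace period ends once the ambient date reaches final.
    if final > ambient:
        return Decision(True, "expired-warn", final, first_warned)
    return Decision(False, "grace-ended", final, first_warned)

# Constructed sample: trial for client "C-1001" ending 1996-06-30.
TRIAL = ControlInfo("C-1001", date(1996, 6, 30), "soft_from_warning")
FIRST = verify_license(TRIAL, ["C-1001"], date(1996, 7, 10))
```

The constructed run at the bottom shows the point made about the latter scheme: a user who first launches on 1996-07-10, after a fixed 7 day grace period would already have ended, still receives a warning and a final date of 1996-07-17.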



Claims 

1. A method for managing usage of an application program
by a user on a distributed computer system,
said application program being initially stored as a
stored version of said application program on a
server coupled to said distributed computer system,
said method comprising the steps of:

   recognizing a user request to access said
   application program;

   determining whether predetermined access
   conditions are satisfied;

   transmitting a transmission version of said
   application program to a computer associated
   with said user for receipt and storage only when
   said access conditions have been satisfied;

   verifying prior to execution of said program that
   said user is currently entitled to execute said
   received application program; and

   generating an executable version of said
   application program from said transmission version
   only if said verification is affirmative.

2. The method in Claim 1, wherein said predetermined
conditions comprise ownership of a valid license to
an application builder module which performs said
verifying and generating steps.

3. The method in Claims 1 or 2, wherein said determining
step includes:

   providing said user with an opportunity to satisfy
   and accept said predetermined but as yet
   unsatisfied access conditions; and

   recognizing explicit acceptance of said access
   conditions by said user.

4. The method in Claim 3, including providing an
opportunity to accept a trial license for said application
program.

5. The method in Claim 2, wherein said transmission
version of said application program comprises a file
that is at least partially encrypted.

6. The method in Claim 5, wherein said step of generating
an executable version of said application program
from said transmission version comprises
decrypting said encrypted portion.

7. The method in Claim 6, wherein

   said transmission version of said application
   program is encrypted with a public key associated
   with said user, said decryption is performed with a
   corresponding private key, and said user associated
   public key and corresponding private key are
   generated by said application builder module.






8. A program usage management system for managing
usage of an application program by a user associated
with a client computer on a distributed
computer network, said system comprising:

   a server coupled to said distributed computer
   system and having memory storage for storing
   said application program;

   a controller coupled to said client computer for
   recognizing a user request to access said
   application program and for determining whether
   predetermined program access conditions
   associated with said application program are
   satisfied by said client computer;

   a program file formatter for generating a
   transmission version of said program file that
   incorporates identification information associated
   with said client and a version of said application
   program that is at least partially encrypted, said
   program file formatter responsive to said
   controller to generate said transmission version
   only when said access conditions are satisfied;

   a transmitter for transmitting said transmission
   version of said application program to said
   client computer associated with said user for
   receipt and storage only when said access
   conditions have been satisfied;

   a license verifier for verifying prior to execution
   of said application program by said client
   computer that the user associated with said client
   computer is currently entitled to execute said
   application program; and

   a program decoder coupled to said client
   computer for generating a decoded machine
   executable version of said application program
   from said transmission version of said
   application program only if said license verifier verifies
   that the user associated with said client
   computer is currently entitled to execute said
   application program.



9. The system in Claim 8, wherein said controller
includes an application builder program module
installed and executing on said client computer, said
application builder program module includes said
license verifier and said program decoder.

10. The system in Claim 9, wherein said predetermined
program access conditions associated with said
application program include receipt of an encryption
key from a valid copy of said application builder
program on said client computer.

11. The system in Claim 9, wherein

   said transmission version of said application
   program is at least partially encrypted with a public
   key associated with said user, said program decoder
   decodes said transmission version of said application
   program with a corresponding private key,
   and said user associated public key and
   corresponding private key are generated by said
   application builder module.